Public bug reported:

As seen in the LXC autopkgtest results:
http://autopkgtest.ubuntu.com/packages/lxc

The source of those failures is that pool.sks-keyserver.net isn't
allowed from within the autopkgtest environment. For that reason, LXC
will switch to the http transport on port 80 when http_proxy is set in
the environment.

Under gpgv1, this was causing gpg to grab keys through the specified
proxy as required in the autopkgtest environment and in a lot of
corporate environments where internet access is only available through
proxy.


In gpgv2, it looks like dirmngr just entirely ignores any proxy variable and 
just attempts to fetch the key directly rather than through the proxy, leading 
to a failure.

### Xenial
iptables -I OUTPUT -p tcp --dport 80 -j REJECT
ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT

root@xenial:~# gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 
0xBAEFF88C22F6E216
gpg: requesting key 22F6E216 from hkp server p80.pool.sks-keyservers.net
?: p80.pool.sks-keyservers.net: Connection refused
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: keyserver unreachable
gpg: keyserver communications error: public key not found
gpg: keyserver receive failed: public key not found

root@xenial:~# http_proxy=http://sateda.srv.mtl.stgraber.net:3128 gpg 
--keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0xBAEFF88C22F6E216
gpg: requesting key 22F6E216 from hkp server p80.pool.sks-keyservers.net
gpg: key 22F6E216: "LXC pre-built images <lxc-de...@lists.linuxcontainers.org>" 
not changed
gpg: Total number processed: 1
gpg:              unchanged: 1


### Yakkety
root@yakkety:~# iptables -I OUTPUT -p tcp --dport 80 -j REJECT
root@yakkety:~# ip6tables -I OUTPUT -p tcp --dport 80 -j REJECT

root@yakkety:~# gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 
--recv-keys 0xBAEFF88C22F6E216
gpg: keyserver receive failed: Connection refused

root@yakkety:~# http_proxy=http://sateda.srv.mtl.stgraber.net:3128 gpg 
--keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0xBAEFF88C22F6E216
gpg: keyserver receive failed: Connection refused

** Affects: gnupg2 (Ubuntu)
     Importance: Critical
     Assignee: Dimitri John Ledkov (xnox)
         Status: Triaged

** Changed in: gnupg2 (Ubuntu)
     Assignee: (unassigned) => Dimitri John Ledkov (xnox)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1625848

Title:
  gnupg2 appears to ignore http_proxy, fails to retrieve keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1625848/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to